[Snort-sigs] SID: 8440

Nigel Houghton nigel at ...435...
Mon Apr 23 18:48:07 EDT 2007


On  0, Paul Schmehl <pauls at ...1311...> wrote:
> --On Monday, April 23, 2007 17:25:39 -0400 Nigel Houghton 
> <nigel at ...435...> wrote:
> 
> >On  0, Paul Schmehl <pauls at ...1311...> wrote:
> >>Can someone help me understand what this rule is looking for?
> >>
> >>alert tcp $EXTERNAL_NET any -> $HOME_NET 993 (msg:"IMAP SSLv2 openssl
> >>get  shared ciphers overflow attempt"; flow:to_server,established;
> >>flowbits:isnotset,sslv3.server_hello.request;
> >>flowbits:isnotset,sslv2.client_hello.request;
> >>flowbits:isnotset,tlsv1.client_hello.request; content:"|01 03|";
> >>depth:2;  offset:2; byte_test:2, >, 256, 1, relative;
> >>reference:bugtraq,20249;  reference:cve,2006-3738;
> >>reference:url,www.openssl.org/news/secadv_20060928.txt;
> >>classtype:attempted-admin; sid:8440; rev:2; )
> >>
> >>Here's the relevant bits of the payload:
> >>17 03 01 03 00 BE D6 67 8E B4 DA 4F A9 9A 93 9D
> >>18 A8 39 65 B8 6F 33 A8 7C E0 42 B7 E4 E0 66 2F
> >>
> >>As I understand it, the packet must have |01 03| at a depth of 2 bytes.
> >>Then, at an offset of two bytes from that a byte_test of the next 2
> >>bytes  should not exceed 256.  So that would mean that D6+67 is greater
> >>than 256?
> >
> >The rule is looking for a content of 01 03 at an offset of 2 bytes from
> >the start of the packet data with a depth of 2 bytes (01 03 is two
> >bytes). Then it looks at the two bytes following at a distance of 1 byte
> >from the previous content match to see if the value is greater than 256,
> >if it is then alert because it may be an attempt to overflow a buffer by
> >sending too much data.
> >
> OK, I muffed that horribly.  :-(
> 
> At an offset of two bytes, for a depth of two bytes, the content should be 
> |01 03|, right?

Yes.

> Now where the heck is the byte_test?  The next two bytes?  In that case it 
> would be |00 BE|, which is not >256, so that can't be right.

No, the byte_test has the form 
 byte_test:<how many bytes>,<operator>,<size>,<offset>,<optional modifiers>;

So, in this case, check for the content match then byte_test:2,>,256,1,relative 
says get two bytes, see if they are bigger than 256 and start 1 byte from the 
end of the previous content match (note the relative modifier). Which means, 
that you are looking at "BE D6" which is indeed much larger than 256.

> I appreciate you pointing to the RFC, but as I said, I don't read geek. 
> Where can I find something that says something like this:
> The first two bytes define the version of ssl being used: here are the 
> possibilities.  The next two bytes define X, and here are the possible 
> values.  Etc., etc., etc.
> 
> Someone needs to translate the RFCs into English.

Yeah, that would be a good thing :)

I think that the Netscape specs I pointed to are however, very good and
explain SSL communications very well indeed.

-- 
Nigel Houghton
Office Linebacker
SF VRT
